CVE-2013-4545
Published: 2013-11-23
Priority: P4 · CVSS 2.0 base score 4.3 (medium) · vector AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.35% (57.9th percentile)
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Affected
73 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.33.0-1 (bookworm) | curl 7.33.0-1 (bookworm) |
| haxx | curl | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu
curl vulnerability
vendor_ubuntu · 2013-12-05
Summary: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a machine-in-the-middle attack to view sensitive information or alter encrypted communications.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: TLS/SSL certificate name check disabled with peer verification
vendor_redhat · 2013-11-15 · CVSS 4.3 (MEDIUM)
Statement: Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5 and 6.
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Not affected
Package: curl (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-4545: curl
vendor_debian · 2013 · CVSS 4.3 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 7.33.0-1)
bullseye: resolved (fixed in 7.33.0-1)
forky: resolved (fixed in 7.33.0-1)
sid: resolved (fixed in 7.33.0-1)
trixie: resolved (fixed in 7.33.0-1)
GHSA
GHSA-94rh-gwj6-33j3
ghsa_unreviewed · 2022-05-17 · MEDIUM
OSV
CVE-2013-4545
osv · 2013-11-23 · CVSS 4.3 (MEDIUM)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-6422 curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS
bugzilla · 2013-12-04 · CVSS 4.3 (MEDIUM)
Curl upstream reported an issue (similar to CVE-2013-4545) related to the verification of the connection host name against the server name specified in a TLS/SSL server certificate. When libcurl was built using GnuTLS as TLS/SSL library, setting CURLOPT_SSL_VERIFYPEER option to 0 (i.e. disabling verification that the certificate is valid and was issued by a trusted certificate authority) also disabled server name checks regardless of the value of the CURLOPT_SSL_VERIFYHOST option. This caused libcurl to skip name checks while an application using the library could expect it to be performed.
Note: Only enabling VERIFYHOST while disabling VERIFYPEER is insecure unless the application perfor
Bugzilla
CVE-2013-4545 mingw-curl: curl: TLS/SSL certificate name check disabled with peer verification [fedora-all]
bugzilla · 2013-11-17 · CVSS 4.3 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Bugzilla
CVE-2013-4545 mingw32-curl: curl: TLS/SSL certificate name check disabled with peer verification [epel-5]
bugzilla · 2013-11-17 · CVSS 4.3 (MEDIUM)
Bugzilla
CVE-2013-4545 curl: TLS/SSL certificate name check disabled with peer verification
bugzilla · 2013-11-11 · CVSS 4.3 (MEDIUM)
Curl upstream reported an issue related to verification of connection host name against server name specified in a TLS/SSL server certificate. When libcurl was built using OpenSSL as TLS/SSL library, setting CURLOPT_SSL_VERIFYPEER option to 0 (i.e. disabling verification that the certificate is valid and was issued by a trusted certificate authority) also disabled server name checks regardless of the value of the CURLOPT_SSL_VERIFYHOST option. This caused libcurl to skip name checks while an application using the library could expect it to be performed.
Note: Only enabling VERIFYHOST while disabling VERIFYPEER is insecure unless application performs its own peer verification equivalent to the verification
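An audit model of the behaviour this Bugzilla entry describes, added here as an example and not code from curl or from the bug report: it encodes the affected range the advisory states (7.18.0 through 7.32.0, OpenSSL builds only) and reports whether an application that sets a given CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST pair is actually getting the name check it expects. Function names and the string labels are my own; the backend name is passed as a plain string.

```python
# Audit model for CVE-2013-4545 (added example, not curl's own code): does a
# libcurl built with OpenSSL really run the CN/SAN name check (VERIFYHOST)
# for a given VERIFYPEER setting?
from typing import Tuple

AFFECTED_FIRST = (7, 18, 0)   # range from the advisory: 7.18.0 ...
AFFECTED_LAST = (7, 32, 0)    # ... through 7.32.0; 7.33.0 is fixed


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a libcurl version string such as '7.32.0' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised libcurl version: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected_build(version: str, ssl_backend: str) -> bool:
    """True for an OpenSSL-backed libcurl inside the affected range.
    The GnuTLS variant (CVE-2013-6422) has its own range and is not modelled."""
    return (ssl_backend.lower() == "openssl"
            and AFFECTED_FIRST <= parse_version(version) <= AFFECTED_LAST)


def name_check_performed(version: str, ssl_backend: str,
                         verifypeer: int, verifyhost: int) -> bool:
    """Documented semantics: VERIFYHOST alone decides (0 = skip, 2 = check).
    Affected builds: VERIFYPEER=0 also silently disables the name check."""
    if verifyhost == 0:
        return False
    if verifypeer == 0 and is_affected_build(version, ssl_backend):
        return False
    return True


def audit(version: str, ssl_backend: str, verifypeer: int, verifyhost: int) -> str:
    """Classify an application's option pair against the build it runs on."""
    if verifypeer == 0 and verifyhost == 0:
        return "insecure-by-configuration"   # both checks deliberately off
    if verifyhost != 0 and not name_check_performed(
            version, ssl_backend, verifypeer, verifyhost):
        return "exposed-cve-2013-4545"       # name check expected but skipped
    if verifypeer == 0:
        return "name-check-only"             # safe only with app-side peer checks
    return "ok"
```

The "name-check-only" result is the configuration the note above warns about: it is only acceptable when the application itself performs peer verification equivalent to what VERIFYPEER would have done.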
References
http://curl.haxx.se/docs/adv_20131115.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html
http://www.debian.org/security/2013/dsa-2798
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.ubuntu.com/usn/USN-2048-1
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322